The term “Multiple Independent Levels of Security” refers to a computer system architecture based on the concepts of information separation by security levels and controlled information flow between environments operating at the different security levels. The control of information flow between the different environments is carried out by devices referred to as “guard-sanitizers” or “cross domain solutions” which perform inspection, redaction and blocking of messages sent between the environments according to a set of pre-defined rules. A ‘message’ in this context is a collection of digital data bits which may represent a message's contents, a message's origin and destination addresses and metadata about the message such as its length and parity. The environments on each side of a guard-sanitizer may each consist of computers and peripheral devices connected by a network such as Ethernet, MIL-STD-1553B, serial link, etc.
Guard-sanitizers are themselves computer systems which contain rule sets used to examine each message sent from a system or peripheral in one security environment to a system or peripheral in the other. The rule set describes which messages can be passed between environments without alteration, which can be passed with specific alterations and which must be blocked.
Guard-sanitizers with programmable rule sets have been available for several years but are generally designed to handle multiple users over multiple network connections of multiple types with very complex rule sets. Available systems are usually based on general purpose, secure operating system kernels such as variations of UNIX and provide very general capability. They may host the design of rule sets on the guard-sanitizers themselves. Their complexity makes security accreditation of such guard-sanitizers quite difficult and the resulting guard-sanitizer systems costly and time-consuming to implement in both non-recurring and recurring engineering.
In contrast, the invention described here (an embedded guard-sanitizer) answers the need for a special purpose apparatus for those applications which have a very specific and predictable structure of messages, as in the communication of a high-security-level control system with a low-security-level peripheral device over a local network, or a weapon control system with an expendable weapon over a digital data network or link. Such a device should be simple, small, low power and embeddable wherever it is needed. Here the complexity and generality of previously developed guard-sanitizer solutions are not warranted.
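
The pass, alter or block rule set described above, reduced to a fixed table for one predictable message structure, is sketched below as an added example that is not part of the original document. The message layout, the addresses 0x10 and 0x20, and the rule contents are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed message layout (an assumption, not taken from the document). */
typedef struct {
    uint8_t src, dst;     /* origin and destination addresses */
    uint8_t len;          /* metadata: payload length in bytes */
    uint8_t parity;       /* metadata: even-parity bit over the payload */
    uint8_t payload[8];
} msg_t;

typedef enum { BLOCK = 0, PASS, REDACT } action_t;

typedef struct {
    uint8_t src, dst, len;  /* a rule matches only on all three */
    action_t action;
    uint8_t keep_mask;      /* REDACT: bit i set means payload byte i is kept */
} rule_t;

/* Hypothetical rules: high-side controller 0x10, low-side peripheral 0x20. */
static const rule_t RULES[] = {
    { 0x10, 0x20, 4, REDACT, 0x03 },  /* command: only bytes 0-1 may go low */
    { 0x20, 0x10, 2, PASS,   0x00 },  /* status report: passed unaltered */
};

static uint8_t parity_of(const uint8_t *p, size_t n) {
    uint8_t x = 0;
    for (size_t i = 0; i < n; i++) x ^= p[i];
    x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return x & 1u;
}

/* Returns the action taken; on PASS or REDACT the outgoing message is in *out. */
action_t guard_filter(const msg_t *in, msg_t *out) {
    if (in->len > sizeof in->payload) return BLOCK;   /* malformed length */
    if (parity_of(in->payload, in->len) != in->parity) return BLOCK;
    for (size_t r = 0; r < sizeof RULES / sizeof RULES[0]; r++) {
        const rule_t *k = &RULES[r];
        if (k->src != in->src || k->dst != in->dst || k->len != in->len) continue;
        memset(out, 0, sizeof *out);  /* no residue from earlier traffic */
        out->src = in->src; out->dst = in->dst; out->len = in->len;
        for (uint8_t i = 0; i < in->len; i++)
            if (k->action == PASS || ((k->keep_mask >> i) & 1u))
                out->payload[i] = in->payload[i];
        out->parity = parity_of(out->payload, out->len);  /* recompute after redaction */
        return k->action;
    }
    return BLOCK;  /* default deny: any message without a rule is dropped */
}
```

Because the table is constant and the filter has no state, every message the guard can emit is enumerable from the rules alone, which is the property that keeps review of such a device tractable.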